langfuse
Warn
Audited by Socket on May 17, 2026
1 alert found:
AnomalyAnomalySKILL.md
LOWAnomalyLOW
SKILL.md
SUSPICIOUS: mostly coherent Langfuse observability skill with proportionate Langfuse credentials and normal PyPI-based installation, but it relies on a third-party community MCP package instead of the official Langfuse MCP server and forwards secret keys to that external code. This is not confirmed malware, but the trust and credential-forwarding model creates meaningful security risk, especially if users point LANGFUSE_HOST at untrusted self-hosted endpoints or enable write operations.
Confidence: 88%Severity: 68%
Audit Metadata